knockd server

Knockd is a port knocking daemon, a program that listens for specific packets on specific ports, and will run a command when it hears the correct sequence. It is used to hide ports from public view for better privacy/security.

knockd automatically replaces %IP% with the IP address of the client that sent the knock, so you can open the port only to the authorized client.

This controls access to port 22 on the router itself, but it's not compatible with OpenWRT's iptables setup, and I don't want to SSH into the router; I want to use knockd to enable a port forward to an SSH server inside my network.

Using it to manage port forwards is a bit more complicated. It requires several iptables rules to be enabled. I made a script that puts all the necessary commands together:

The command can be used as follows, where xxx.xxx.xxx.xxx is the IP address of the SSH server you want to forward to and %IP% is the IP address of the client you want to allow (knockd fills it in with the knocking client's address):

./forward.sh 22 %IP% xxx.xxx.xxx.xxx -I

to create a port forward

./forward.sh 22 %IP% xxx.xxx.xxx.xxx -D

to disable a port forward.

This script was developed for OpenWRT Attitude Adjustment. The iptables commands may be different in other versions due to changes in structure. To figure out the necessary commands I created a port forward using the web GUI and used the iptables-save command to list the iptables rules that each forward generates. I had to add -t nat to the end of some of them. Also, I can't guarantee that this is the preferred or most elegant solution, but it works for me.
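Because forward.sh itself is not reproduced on this page, here is an added example (not the author's script) of a dry-run helper with the same argument order that prints the two iptables rules a single-client port forward needs, validating the IP and port arguments before they reach iptables. The PREROUTING/FORWARD chain names are assumptions; OpenWRT's zone chains may differ, so compare against iptables-save on the router first.

```shell
#!/bin/sh
# Hypothetical knockd port-forward helper (added example, not the page's forward.sh).
# Usage: forward_rules PORT CLIENT_IP TARGET_IP -I|-D
# PREROUTING / FORWARD are assumed chain names; OpenWRT's zone chains may differ.

# Reject anything that is not a dotted-quad IPv4 address before it reaches iptables.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(echo "$1" | tr '.' ' '); do
        [ "$o" -le 255 ] || return 1
    done
}

# Print the iptables commands for a forward restricted to one client; does not run them.
forward_rules() {
    port=$1; client=$2; target=$3; action=$4
    case "$action" in -I|-D) ;; *) echo "action must be -I or -D" >&2; return 2;; esac
    is_ipv4 "$client" && is_ipv4 "$target" || { echo "bad IP address" >&2; return 2; }
    case "$port" in ''|*[!0-9]*) echo "bad port" >&2; return 2;; esac
    # DNAT only traffic coming from the knocking client (the %IP% knockd substitutes).
    echo "iptables -t nat $action PREROUTING -s $client -p tcp --dport $port -j DNAT --to-destination $target:$port"
    # Let the forwarded connection through the filter table, again only from that client.
    echo "iptables $action FORWARD -s $client -d $target -p tcp --dport $port -j ACCEPT"
}

# Run the rules on the router, or just print them when DRY_RUN=1 is set.
apply_forward() {
    rules=$(forward_rules "$@") || return $?
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$rules"; else echo "$rules" | sh; fi
}
```

Run it as `DRY_RUN=1 apply_forward 22 %IP% xxx.xxx.xxx.xxx -I` from a knockd command line to confirm the generated rules before letting knockd execute them for real.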

I have created a script that creates port forwards and opens ports using the standard uci command. The rules it creates are visible in LuCI but have somewhat cryptic names. For this you need to use uciknockd.sh and the second knockd.conf sample.

Client configuration

There are plenty of different port knocking clients available for all platforms, including Windows, Linux, OSX, and even Android.

This script, uciknockd.sh, creates the forwarding and port-open rules in the uci configuration, so you can see from LuCI which ports are open. If you trigger openSSH from IP 1.1.1.1, LuCI will show a rule named KnockdSSH_1.1.1.1_22, etc. The CloseSSH rule deletes it from uci and iptables. The uciknockd.sh and knockd.conf scripts should be placed in the /etc directory. Don't forget to make uciknockd.sh executable: chmod 755 /etc/uciknockd.sh.